Merge branch 'Zettlr:develop' into develop

Author: krotesk

.yarn/releases/yarn-4.6.0.cjs

@@ -6,4 +6,4 @@ enableTelemetry: false
 
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-4.6.0.cjs
+npmMinimalAgeGate: "7d"

.yarnrc.yml

@@ -18,11 +18,33 @@
   `smooth`.
 - Fixed a small bug that could throw off switching between different file
   manager modes.
+- Fixed the cursor scroll margin again. This means that, after years of it not
+  working, as you type there will now be some margin towards the top or bottom
+  of the editor window, preventing the cursor to "stick" to the edge of the
+  editor.
+- Update `pt-PT` translations (#6282).
 
 ## Under the Hood
 
+- Switch from `sanitize-html` to `DOMPurify` for HTML sanitization, since the
+  latter has much, much less issues with various types of exotic XML-type tags
+  such as MathML.
+- Updated Electron to `v41.1.1`.
 - Security: Disallow any and all inline-JavaScript across all browser windows.
 - Security: Enforce loading remote resources using HTTPS.
+- Security: Generously spread HTML sanitization across the application. The
+  following changes have been made:
+  - Moved HTML sanitization to the edge (directly to the injection sinks)
+  - Removed HTML sanitization from the translation helpers. The reason is that
+    DOMPurify does not work out of the box in the main process, so we also
+    removed the sanitization from the renderer-translation helper. However, this
+    is safe since we do not insert the translations into HTML injection sinks.
+    Also, this way we can apply DOM sanitization at the edge, and no longer at
+    the beginning of the chain.
+  - This also means that HTML is no longer allowed in translation strings.
+  - Armed the `v-html`-rule again, and removed all `v-html` directives, and in
+    instances where this was not possible, explicitly disable this with a
+    reason.
 
 # 4.3.1
 

CHANGELOG.md

@@ -189,7 +189,7 @@ export default [
       // provided HTML to only contain safe tags. The only stuff we currently
       // put in there is translation strings, which we sanitise in the trans()
       // function. NOTE to keep this on my mind!
-      'vue/no-v-html': 'off'
+      'vue/no-v-html': 'error'
 
       ////////////////////////// END VUE RULES /////////////////////////////////
     }

eslint.config.mjs

@@ -76,33 +76,34 @@
     "@codemirror/lint": "^6.9.5",
     "@codemirror/search": "^6.6.0",
     "@codemirror/state": "^6.6.0",
-    "@codemirror/view": "^6.40.0",
+    "@codemirror/view": "^6.41.0",
     "@lezer/common": "^1.5.1",
     "@lezer/highlight": "^1.2.3",
     "@lezer/lr": "^1.4.8",
     "@lezer/markdown": "^1.6.3",
     "@replit/codemirror-emacs": "^6.1.0",
     "@replit/codemirror-lang-nix": "^6.0.1",
     "@replit/codemirror-vim": "^6.3.0",
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "archiver": "^7.0.1",
     "astrocite": "^0.16.4",
     "bcp-47": "^2.1.0",
-    "biblatex-csl-converter": "^3.4.0",
+    "biblatex-csl-converter": "^3.5.5",
     "chalk": "^5.6.2",
     "chokidar": "^5.0.0",
     "citeproc": "^2.4.63",
     "d3": "^7.9.0",
+    "dompurify": "^3.3.3",
     "fix-path": "^5.0.0",
     "gemoji": "^8.1.0",
-    "gettext-parser": "^9.0.1",
+    "gettext-parser": "^9.0.2",
     "got": "^11.8.6",
     "katex": "^0.16.44",
     "ky": "^1.14.3",
     "lang-criticmarkup": "^0.3.0",
     "luxon": "^3.7.2",
     "md5": "^2.3.0",
-    "mermaid": "^11.13.0",
+    "mermaid": "^11.14.0",
     "nodehun": "^3.0.2",
     "pinia": "^3.0.4",
     "rehype-parse": "^9.0.1",
@@ -136,13 +137,12 @@
     "remark-stringify": "^11.0.0",
     "rimraf": "^6.1.3",
     "sanitize-filename": "^1.6.4",
-    "sanitize-html": "^2.17.2",
     "semver": "^7.7.4",
     "tippy.js": "^6.3.7",
     "underscore": "^1.13.8",
     "unified": "^11.0.5",
     "uuid": "^13.0.0",
-    "vue": "^3.5.31",
+    "vue": "^3.5.32",
     "vue-virtual-scroller": "^2.0.0-beta.8",
     "w3c-keyname": "^2.2.8",
     "yaml": "^2.8.3"
@@ -162,11 +162,11 @@
     "@electron-forge/maker-zip": "^7.11.1",
     "@electron-forge/plugin-fuses": "^7.11.1",
     "@electron-forge/plugin-webpack": "^7.11.1",
-    "@electron/fuses": "^2.1.0",
+    "@electron/fuses": "^2.1.1",
     "@electron/notarize": "^3.1.1",
     "@eslint/config-inspector": "^1.5.0",
     "@stylistic/eslint-plugin": "^5.10.0",
-    "@types/adm-zip": "^0.5.7",
+    "@types/adm-zip": "^0.5.8",
     "@types/archiver": "^7.0.0",
     "@types/command-exists": "^1.2.3",
     "@types/d3": "^7.4.3",
@@ -176,33 +176,32 @@
     "@types/md5": "^2.3.6",
     "@types/mocha": "^10.0.10",
     "@types/node": "^22.19.15",
-    "@types/sanitize-html": "^2.16.1",
     "@types/semver": "^7.7.1",
     "@types/showdown": "^2.0.6",
     "@types/underscore": "^1.13.0",
-    "@typescript-eslint/eslint-plugin": "^8.57.2",
-    "@typescript-eslint/parser": "^8.57.2",
+    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@typescript-eslint/parser": "^8.58.0",
     "@vercel/webpack-asset-relocator-loader": "1.7.3",
     "copy-webpack-plugin": "^14.0.0",
     "cross-env": "^10.1.0",
     "css-loader": "^7.1.4",
     "csso": "^5.0.5",
-    "electron": "^40.8.0",
+    "electron": "^41.1.1",
     "electron-builder": "^26.8.2",
     "electron-devtools-installer": "^4.0.0",
     "eslint": "^10.1.0",
     "eslint-plugin-import": "^2.32.0",
     "eslint-plugin-n": "^17.24.0",
     "eslint-plugin-promise": "^7.2.1",
     "eslint-plugin-vue": "^10.8.0",
-    "jsdom": "^27.4.0",
+    "jsdom": "^29.0.1",
     "less": "^4.6.4",
     "less-loader": "^12.3.2",
     "mocha": "^11.7.5",
     "node-loader": "^2.1.0",
     "nyc": "^18.0.0",
     "style-loader": "^4.0.0",
-    "ts-loader": "^9.5.4",
+    "ts-loader": "^9.5.7",
     "ts-node": "^10.9.2",
     "tsconfig-paths": "^4.2.0",
     "typescript": "^5.9.3",

package.json

@@ -455,9 +455,11 @@ export default class UpdateProvider extends ProviderContract {
 
     // Adapt the rest of the state
     state.tagName = parsedResponse.tag_name
+    // NOTE: We do not sanitize the HTML here. Instead we sanitize it in the
+    // update window directly.
     state.changelog = await md2html(parsedResponse.body, {
       onCitation: (_c1, _c2) => undefined,
-      zknLinkFormat: 'link|title', sanitizeHTML: true
+      zknLinkFormat: 'link|title'
     })
     state.prerelease = parsedResponse.prerelease
     state.releasePage = parsedResponse.html_url

source/app/service-providers/updates/index.ts

@@ -12,7 +12,6 @@
  * END HEADER
  */
 
-import sanitizeHtml from 'sanitize-html'
 import { po, type GetTextTranslations } from 'gettext-parser'
 import getLanguageFile from './util/get-language-file'
 import { promises as fs } from 'fs'
@@ -82,12 +81,5 @@ export function trans (msgid: string, ...args: any[]): string {
     transString = transString.replace('%s', String(a)) // Always replace one %s with an arg
   }
 
-  // Finally, before returning the translation, sanitize it. As these are only
-  // translation strings, we can basically only allow a VERY small subset of all
-  // tags.
-  const safeString = sanitizeHtml(transString, {
-    allowedTags: [ 'em', 'strong', 'kbd' ]
-  })
-
-  return safeString
+  return transString
 }

source/common/i18n-main.ts

@@ -13,7 +13,6 @@
  * END HEADER
  */
 
-import sanitizeHtml from 'sanitize-html'
 const ipcRenderer = window.ipc
 
 let i18nData: any
@@ -65,12 +64,5 @@ export function trans (msgid: string, ...args: any[]): string {
     transString = transString.replace('%s', String(a)) // Always replace one %s with an arg
   }
 
-  // Finally, before returning the translation, sanitize it. As these are only
-  // translation strings, we can basically only allow a VERY small subset of all
-  // tags.
-  const safeString = sanitizeHtml(transString, {
-    allowedTags: [ 'em', 'strong', 'kbd' ]
-  })
-
-  return safeString
+  return transString
 }

source/common/i18n-renderer.ts

@@ -165,6 +165,7 @@ function getCoreExtensions (options: CoreExtensionOptions): Extension[] {
   const themes = getMainEditorThemes()
 
   return [
+    EditorView.cursorScrollMargin.of({ x: 50, y: 50 }), // Corresponds to the padding set to the MainEditor.vue for now
     // Both vim and emacs modes need to be included first, before any other
     // keymap.
     inputModeCompartment.of(inputMode),

source/common/modules/markdown-editor/editor-extension-sets.ts

@@ -21,6 +21,7 @@ import { CITEPROC_MAIN_DB } from '@dts/common/citeproc'
 import { citationMenu } from '../context-menu/citation-menu'
 import { configField } from '../util/configuration'
 import { type Citation, NODES, nodeToCiteItem } from '../parser/citation-parser'
+import DOMPurify from 'dompurify'
 
 class CitationWidget extends WidgetType {
   constructor (readonly citation: Citation, readonly rawCitation: string, readonly node: SyntaxNode) {
@@ -67,7 +68,7 @@ class CitationWidget extends WidgetType {
     const elem = document.createElement('span')
     elem.classList.add('citeproc-citation')
     if (renderedCitation !== undefined) {
-      elem.innerHTML = renderedCitation
+      elem.innerHTML = DOMPurify.sanitize(renderedCitation)
     } else {
       elem.innerText = this.rawCitation
       elem.classList.add('error')